CVE-2025-10383: 
WordPress vulnerability analysis and mitigation

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 27.0.2. The vulnerability was discovered and disclosed on October 4, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in multiple form field parameters. This security flaw allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute whenever a user accesses an affected page. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (NVD).

Users should update to a version newer than 27.0.2 when available. Until then, it is recommended to restrict access to the plugin's form field parameters to trusted users only (NVD).